new mytob variant of today

Discussion in 'other anti-virus software' started by IBK, Apr 18, 2006.

Thread Status:
Not open for further replies.
  1. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,818
    Location:
    Innsbruck (Austria)
    Hi,

    Just for fun and information: at midnight I got a new Mytob variant from a user. At that time it was detected only by:
    BitDefender BehavesLike:Win32.AV-Killer (suspected)
    eSafe Trojan/Worm [101] (suspicious)
    Fortinet suspicious
    McAfee New Malware.p (trojan or variant)
    Nod32 NewHeur_PE (probably unknown virus)
    Panda Suspicious file
    QuickHeal Suspicious (warning)
    Trend Micro PAK_Generic.001
    VBA32 Backdoor.xBot.16 (suspected)

    12 hours later it is detected by:
    AntiVir Worm/Mytob.EF.1
    AVG I-Worm/Bagle.LB
    BitDefender BehavesLike:Win32.AV-Killer (suspected)
    eSafe Trojan/Worm [101] (suspicious)
    Ewido Worm.Mytob.ef
    F-Secure Net-Worm.Win32.Mytob.ef
    Fortinet (BETA) W32/MyTob.EF!worm.im
    Ikarus Net-Worm.Win32.Mytob.ef
    Kaspersky Net-Worm.Win32.Mytob.ef
    McAfee (BETA) W32/Mytob.gen@MM
    Nod32 NewHeur_PE (probably unknown virus)
    Panda Suspicious file
    QuickHeal Suspicious (warning)
    Trend Micro PAK_Generic.001
    VBA32 Backdoor.xBot.16 (suspected)

    not detected by:
    Avast!, ClamAV, Command, Dr Web, eTrust-INO, eTrust-VET, F-Prot, Microsoft, Norman, Sophos, Symantec, VirusBuster.

    I will keep you updated here in this post ;).
     
  2. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,497
    Location:
    British Columbia
    Thanks IBK.

    Shows a few things. The importance of heuristics and just how many companies aren't on top of things, even 12 hours later. Especially Norton, with its prominence in the market, "unacceptable". Twelve hours is a huge window for infection and why getting "a deal" on an AV sometimes "isn't a deal".
     
  3. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,818
    Location:
    Innsbruck (Austria)
    Detected within 18 hours:
    AntiVir Worm/Mytob.EF.1
    AVG I-Worm/Bagle.LB
    BitDefender BehavesLike:Win32.AV-Killer (suspected)
    Command W32/Mytob.VI@mm (exact)
    Dr Web Win32.HLLM.MyDoom.95
    eSafe Trojan/Worm [101] (suspicious)
    Ewido Worm.Mytob.ef
    F-Prot W32/Mytob.VI@mm (exact)
    F-Secure Net-Worm.Win32.Mytob.ef
    Fortinet (BETA) W32/MyTob.EF!worm.im
    Ikarus Net-Worm.Win32.Mytob.ef
    Kaspersky Net-Worm.Win32.Mytob.ef
    McAfee (BETA) W32/Mytob.gen@MM
    Nod32 NewHeur_PE (probably unknown virus)
    Norman W32/Mytob.ZC@mm
    Panda Suspicious file
    QuickHeal Suspicious (warning)
    Trend Micro (BETA) WORM_MYTOB.PL
    VBA32 Net-Worm.Win32.Mytob.ef
    VirusBuster I-Worm.Mytob.RD

    not detected by:
    Avast!, ClamAV, eTrust-INO, eTrust-VET, Microsoft, Sophos, Symantec
     
  4. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    At least within 18 hrs there are some AV vendors which prefer definitions, albeit they first detected this nasty by proactive methods. :)

    Fortinet (BETA) W32/MyTob.EF!worm.im
    McAfee (BETA) W32/Mytob.gen@MM
    Trend Micro (BETA) WORM_MYTOB.PL
    VBA32 Net-Worm.Win32.Mytob.ef


    Best regards,
    Firefighter!
     
    Last edited: Apr 18, 2006
  5. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Well, congratulations again to NOD32 and also to BitDefender. KAV needs to improve its heuristic engine.... they would have gained much more if they had done it in version 6, but unfortunately they added only the proactive defence system. Symantec and MS are really slow. MS should do something if they want to hit the market with their OneCare.
     
  6. wawy

    wawy Registered Member

    Joined:
    Feb 17, 2006
    Posts:
    23
    hello all,

    About KAV, I found this on http://www.viruslist.com/en/index.html

    and Roel at http://www.viruslist.com/en/weblog was speaking about an update with the name: Net-Worm.Win32.Mytob.eg ?!

    and you posted today at 05:45 PM.

    :blink:
     
  7. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,818
    Location:
    Innsbruck (Austria)
  8. SSK

    SSK Registered Member

    Joined:
    Nov 28, 2004
    Posts:
    976
    Location:
    Amsterdam
    Next big project for Kaspersky is a new heuristic engine. Some of the development team for Version 6 are tasked with that. So they are aware and working on it. :)
     
  9. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Yes, I know that, but it would have been quite nice to have a new heuristic engine in version 6. :D
     
  10. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,818
    Location:
    Innsbruck (Austria)
    Great news :).
     
  11. wawy

    wawy Registered Member

    Joined:
    Feb 17, 2006
    Posts:
    23
    ok, thank you
     
  12. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,818
    Location:
    Innsbruck (Austria)
    After 20 hours:
    AntiVir Worm/Mytob.EF.1
    Avast! Win32:Mytob-QI [Wrm]
    AVG I-Worm/Bagle.LB
    BitDefender BehavesLike:Win32.AV-Killer (suspected)
    Command W32/Mytob.VI@mm (exact)
    Dr Web Win32.HLLM.MyDoom.95
    eSafe Trojan/Worm [101] (suspicious)
    Ewido Worm.Mytob.ef
    F-Prot W32/Mytob.VI@mm (exact)
    F-Secure Net-Worm.Win32.Mytob.ef
    Fortinet (BETA) W32/MyTob.EF!worm.im
    Ikarus Net-Worm.Win32.Mytob.ef
    Kaspersky Net-Worm.Win32.Mytob.ef
    McAfee W32/Mytob.gen@MM
    Nod32 NewHeur_PE (probably unknown virus)
    Norman W32/Mytob.ZC@mm
    Panda (BETA) W32/Mytob.NV.worm
    QuickHeal Suspicious (warning)
    Trend Micro (BETA) WORM_MYTOB.PL
    VBA32 Net-Worm.Win32.Mytob.ef
    VirusBuster I-Worm.Mytob.RD

    Not detected by: ClamAV, eTrust-INO, eTrust-VET, Microsoft, Sophos, Symantec.
     
  13. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    Who cares? When KAV was capable of detecting this nasty within a couple of hrs, as the majority of ALL other nasties too. This situation is far safer than detecting about 60 % of all nasties with proactive methods but the rest only AFTER some 3...6 weeks. :blink:

    Best regards,
    Firefighter!
     
    Last edited: Apr 19, 2006
  14. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,818
    Location:
    Innsbruck (Austria)
    Probably everyone who wants to be protected...

    Not true...; even KAV has had samples for years that they still have not added... Samples are added on a per-need basis even by KAV.
     
  15. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    Which would probably have detected this one. ;)
     
  16. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Well, of course every AV has its own weak and strong points. Hope that 3...6 weeks will transform into 3...6 days or even better...days.

    Don_Pelotas...it may be possible.. I don't know exactly how the ProActive feature works, but it's better to detect it before running the file.
     
  17. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    That's why we need other tests than pure detection rate tests too. What if we could see tests which measure update delays as cumulative missed hrs, for example? Those proactively detected samples are of course welcome in this kind of test too, as zero missed hrs. We would only need, let's say, about 4 weeks' collection of all kinds of new nasties, at least 10k samples to test with. :)

    In my mind this kind of test measures quite well the whole security level of AVs :cool:

    Best regards,
    Firefighter!
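    Firefighter's proposed metric above, as an added example that is not from this thread: each vendor is charged the hours a sample went undetected (zero for a proactive hit at first sight, the full observation window for a miss), summed over all samples. The vendor-to-hour table is constructed from the snapshots IBK posted earlier in this thread, and it assumes the snapshot time is the detection time, which is an upper bound since detection happened somewhere between two checks.

```python
from typing import Dict, List, Optional, Tuple

# Observation window in hours; the thread's last snapshot was at 24 h.
WINDOW_HOURS = 24

# Constructed from IBK's snapshots above: hour of the first snapshot in
# which each vendor flagged the sample. None = still missed at 24 h.
# Heuristic/"suspicious" hits at hour 0 count exactly like signature hits.
MYTOB_SAMPLE: Dict[str, Optional[int]] = {
    "BitDefender": 0, "eSafe": 0, "Fortinet": 0, "McAfee": 0, "Nod32": 0,
    "Panda": 0, "QuickHeal": 0, "Trend Micro": 0, "VBA32": 0,
    "AntiVir": 12, "AVG": 12, "Ewido": 12, "F-Secure": 12, "Ikarus": 12,
    "Kaspersky": 12,
    "Command": 18, "Dr Web": 18, "F-Prot": 18, "Norman": 18,
    "VirusBuster": 18,
    "Avast!": 20,
    "ClamAV": None, "eTrust-INO": None, "eTrust-VET": None,
    "Microsoft": None, "Sophos": None, "Symantec": None,
}


def missed_hours(first_detected: Optional[int], window: int = WINDOW_HOURS) -> int:
    """Hours one sample stayed undetected by one vendor within the window.

    A proactive detection at hour 0 costs nothing; a sample still missed
    when the window closes is charged the whole window (the test cannot
    know how much longer the miss would have lasted).
    """
    if first_detected is None:
        return window
    return min(max(first_detected, 0), window)


def cumulative_missed_hours(samples: List[Dict[str, Optional[int]]],
                            window: int = WINDOW_HOURS) -> Dict[str, int]:
    """Sum missed hours per vendor over a collection of samples."""
    totals: Dict[str, int] = {}
    for sample in samples:
        for vendor, hour in sample.items():
            totals[vendor] = totals.get(vendor, 0) + missed_hours(hour, window)
    return totals


def ranking(samples: List[Dict[str, Optional[int]]],
            window: int = WINDOW_HOURS) -> List[Tuple[str, int]]:
    """Vendors ordered from fewest to most cumulative missed hours."""
    totals = cumulative_missed_hours(samples, window)
    return sorted(totals.items(), key=lambda kv: (kv[1], kv[0]))
```

With only one sample the ranking reproduces the thread's snapshots; the metric only becomes informative once many samples are summed, which is the point of the 10k-sample collection proposed above.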
     
  18. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,818
    Location:
    Innsbruck (Austria)
    If such a thing were possible to do, it would already have been done. But it is impossible. :doubt:
     
  19. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    I agree with that. Right attitude. ;)

    Best regards,
    Firefighter!
     
  20. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    We have seen a man on the moon, which many people a couple of decades ago thought was impossible! :D

    Best regards,
    Firefighter!
     
    Last edited: Apr 18, 2006
  21. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    It already is possible, and detecting the malware when it executes is not worse than detecting it via an on-demand scan (or HTTP scan); it just makes you feel more protected without being so. :)
     
  22. Miyagi

    Miyagi Registered Member

    Joined:
    Mar 12, 2005
    Posts:
    420
    Location:
    Honolulu, Hawaii
    Thank you for the test IBK! This really shows the effectiveness of the engine and how fast av vendors add the signatures. Nice to see ewido adding it to their database in the 12 hr time frame.
     
  23. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,818
    Location:
    Innsbruck (Austria)
    After 24 hours:
    AntiVir Worm/Mytob.EF.1
    Avast! Win32:Mytob-QI [Wrm]
    AVG I-Worm/Bagle.LB
    BitDefender BehavesLike:Win32.AV-Killer (suspected)
    Command W32/Mytob.VI@mm (exact)
    Dr Web Win32.HLLM.MyDoom.95
    eSafe Trojan/Worm [101] (suspicious)
    Ewido Worm.Mytob.ef
    F-Prot W32/Mytob.VI@mm (exact)
    F-Secure Net-Worm.Win32.Mytob.ef
    Fortinet (BETA) W32/MyTob.EF!worm.im
    Ikarus Net-Worm.Win32.Mytob.ef
    Kaspersky Net-Worm.Win32.Mytob.ef
    McAfee W32/Mytob.gen@MM
    Nod32 Win32/Mytob.SK worm
    Norman W32/Mytob.ZC@mm
    Panda (BETA) W32/Mytob.NV.worm
    QuickHeal Suspicious (warning)
    Trend Micro (BETA) WORM_MYTOB.PL
    VBA32 Net-Worm.Win32.Mytob.ef
    VirusBuster I-Worm.Mytob.RD

    not detected by: ClamAV, eTrust-INO, eTrust-VET, Microsoft, Sophos, Symantec.
     
  24. TAP

    TAP Registered Member

    Joined:
    Aug 17, 2004
    Posts:
    344
    If the new Mytob variant is a mass-mailing worm, it may be detected by heuristics in the avast! mail scanner module, which cannot be tested as an on-demand scan.
     
    Last edited: Apr 18, 2006
  25. Durad

    Durad Registered Member

    Joined:
    Aug 13, 2005
    Posts:
    591
    Location:
    Canada
    What's going on with Symantec? :shifty:
     